- This is certified documentation and is protected for editing by Zimbra Employees & Moderators only.

Once we installed Zimbra Collaboration, we need to be aware of some additional configurations that will allow us to send emails to other Email systems with an improve Security, such Gmail, Hotmail, Yahoo!, etc.
This Wiki article will show the different Email Protection resources that exists, depends of the volume of sent email, will be better to implement only one, or two, or maybe all of them, depends.

SPF

Sender Policy Framework (SPF) is an email validation system, designed to prevent unwanted emails using a spoofing system. To check this common security problem, SPF going to verify the source IP of the email and compare it with a DNS TXT record with a SPF content.

Where needs to be configured?

SPF needs to be configured in the Public DNS

How to configure it?

First of all, generate the TXT SPF DNS entry (using the Mailradar SPF Tool, or something similar), for example with the domain called domain.com and have 3 different entries to add:

The A entry - mail.domain.com

The MX entry - srvmta.domain.com

The IPv4 entry - 60.70.80.90

If in your email system you are using external services like Mailchimp, Salesforce, etc. add them in the include part, for example:

include:servers.mcsv.net (Mailchimp)

include:_spf.salesforce.com (Salesforce)

include:_spf.google.com (Google Apps)

An example will looks like:

Understand the "all" feature in the SPF entry

SPF can be configured in different ways, since neutral to hard fail. Almost 98% of domains are using the ~all (softfail) that means even if something of the SPF entry is wrong against the source Mailserver, mark the mail only like softfail. Here, the complete table to understand the feature all in the SPF

Parameter

Result

Means

+all

pass

Permits all the email, like have nothing configured.

-all

fail

Will only mark the email like pass if the source Email Server fits exactly, IP, MX, etc. with the SPF entry.

~all

softfail

Allows to send the email, and if something is wrong will mark it like softfail.

?all

neutral

Without policy

Difference between ~all and -all

If your domain is under an SPAM attack trying to spoofing your domain, try to change the SPF to -all for a while, and reset to ~all when the attack ends.
Keep selected the -all if you want to be strict with the SPF entry and you are sure that your DNS entry is correct.

How to test it

Have a lot of SPF tools to check if the DNS entry is correct, for example:

Deprecated SPF RR, use TXT RR only

In April 2014, the SPF DNS record was deprecated in the RFC, and the correct way to implement the SPF is using only a TXT DNS record.
For example, this was a valid DNS entries before April 2014, TXT and SPF:

Known issue on ZCS 8.7.x

Edit (as root) script file /opt/zimbra/libexec/zmdkimkeyutil and replace all '2048' occurences with '1024'. This will allow creation of DKIM key with length 1024 and set it as default value.

Run /opt/zimbra/libexec/zmdkimkeyutil -u -d yourdomain.com

Update your DNS records.

After changes in the script you still can create 2048 bit keys, using option -b:

/opt/zimbra/libexec/zmdkimkeyutil -u -b 2048 -d yourdomain.com

DMARC

DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols.

DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC. We hope this will encourage senders to more broadly authenticate their outbound email which can make email a more reliable way to communicate.

rDNS

The reverse DNS resolution (rDNS) is a determination of the domain name that is associated to an IP. Some email companies like AOL, for example, will reject any email that doesn't have a valid rDNS.

Where needs to be configured?

To have a perfect match between the rDNS and the SMTP Banner of the server, need to have the next:

In the public DNS of the ISP provider. Or if you have control of the public DNS of your IP range, then you can add the rDNS by yourself.

In the Zimbra Server, need to edit the HELO to match between it and the rDNS record.

How to configure it?

To modify the Public DNS to match the IP and the rDNS, you need to contact with your ISP provider, or if you have acces to edit the DNS record of your IP, then change it by yourself.
For example, if you have the IP 60.60.60.60 and needs to resolve to mail.example.com.

To edit the SMTP Banner and match it with the external rDNS. Need to edit the next in Zimbra:
Zimbra 8.0.X